Beacon Platform Docs

Security Model

2 min read

Overview

  • Admin endpoints are guarded in code by ADMIN_TOKEN/ADMIN_SECRET or a Cloudflare Access JWT.
  • Public endpoints serve sanitized aggregates only.
  • /pulse/daily.json is gated by PUBLIC_DAILY_DIGESTS; when false it should require admin auth.

Sources: beacon-platform/AUDIT_REPORT.md, beacon-platform/docs/privacy.md

Auth boundaries

Ingest worker (admin paths)

Routes include:

  • /presign, /upload, /files, /exports/*, /clear
  • /regenerate/, /replay/, /quota/*, /pipeline/daily-config
  • /communities/*

These should require ADMIN_TOKEN/ADMIN_SECRET or cf-access-jwt-assertion.

Sources: beacon-platform/AUDIT_REPORT.md, beacon-platform/docs/architecture.md

Public worker (admin helpers)

Admin helpers live under /admin/* (communities, sources, assign-source). Access should be enforced via token or Cloudflare Access.

Sources: beacon-platform/AUDIT_REPORT.md, beacon-platform/docs/architecture.md

Public endpoints

  • /pulse.json, /pulse/history.json, /pulse/trends.json, /pulse, /pulse/embed are public.
  • /pulse/daily.json is public only when PUBLIC_DAILY_DIGESTS is enabled.

Sources: beacon-platform/docs/architecture.md, beacon-platform/AUDIT_REPORT.md

Access control implementation

  • If ADMIN_TOKEN or ADMIN_SECRET is set, requests must send x-admin-token or authorization header matching the secret.
  • If no token is set, cf-access-jwt-assertion is accepted.
  • Cloudflare Access at the edge is the recommended enforcement layer for production.

Sources: beacon-platform/AUDIT_REPORT.md

Rate limiting and abuse protection

  • Rate limiting is not implemented in code.
  • Recommended: WAF/rate limit rules for upload and admin endpoints, and Access policies for /admin*.

Sources: beacon-platform/REMEDIATION_PLAN.md, beacon-platform/infra/ADMIN_UPLOAD.md

Secrets and config

Common environment variables:

  • ADMIN_TOKEN / ADMIN_SECRET
  • PUBLIC_DAILY_DIGESTS
  • AI_MODEL_* (daily/weekly analysis and narrative)
  • DIGEST_PIPELINE_MODE / DAILY_DIGEST_CONCURRENCY / DAILY_DIGEST_START_STAGGER_MS

Sources: beacon-platform/README.md, beacon-platform/docs/parallel-digest-pipeline.md, beacon-platform/AUDIT_REPORT.md

Open questions

  • Confirm admin auth is configured in production (token or Access).
  • Confirm daily digests are not publicly exposed unless intended.
  • Confirm log retention and access policies in Cloudflare.

Sources: beacon-platform/AUDIT_REPORT.md

Graph View

Backlinks